Cisco Community
English
Register
Make a difference. Your participation will help fund Save the Children. LEARN MORE
Register
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
1093
Views
0
Helpful
2
Replies
Antonio Macia
Participant
Participant
‎06-05-2020 01:40 AM
‎06-05-2020 01:40 AM

Certificate and SAML auth with AnyConnect

Hi,

Is it possible to perform certificate authentication in ASA with AnyConnect together with SAML using Cisco DUO Access Gateway?

 

Thanks.

Labels:
0 Helpful
2 REPLIES 2
Rob Ingram
VIP Mentor VIP Mentor
VIP Mentor
‎06-05-2020 01:56 AM
‎06-05-2020 01:56 AM

Hi,

Yes that should be possible. With the ASA, under the tunnel-group configuration you can specify "aaa" for the DUO authentication AND "certificate" for the certificate authentication. The ASA will need to trust and validate the certificate presented by the client computer.

 

tunnel-group RAVPN webvpn-attributes
 authentication aaa certificate

HTH

0 Helpful
Antonio Macia
Participant
Participant
In response to Rob Ingram
‎06-05-2020 02:09 AM
‎06-05-2020 02:09 AM

Hi,

 

I already tried that but it doesn't work. Notice that selecting any other option different from "SAML" will make ASA to ignore the SAML Server configured below and use only the AAA server defined.

It should work using the DUO's Authentication Proxy as secondary AAA server, since it is a regular RADIUS server, but it has some limitations compared with the Access Gateway.

 

Regards.

0 Helpful
Latest Contents
What’s New in Cisco Secure Endpoint—November 2021
Created by kasachs on 11-29-2021 03:46 PM
1
0
1
0
We’re excited to announce new capabilities with Secure Endpoint that allow you to simplify your security and maximize your security operations: Unify your security stack and reduce agent fatigue with Cisco Secure Client; harness integrated risk-based vuln... view more
(Podcast) S8|E47 Turbocharge with Cisco Secure Endpoint
Created by Amilee San Juan on 11-22-2021 06:37 PM
1
5
1
5
Listen: https://smarturl.it/CCRS8E47 Follow us: twitter.com/ciscochampions Ransomware, fileless malware, and zero-day attacks continue to target organizations around the world. In response, organizations have resorted to deploying a variety of d... view more
General information on Cisco TC-NAC with ISE
Created by Jason Kunst on 11-18-2021 11:00 AM
0
5
0
5
This is a general information page for Cisco Threat Centric (TC-NAC) with ISE   Threat Centric Network Access Control (TC-NAC) feature enables you to create authorization policies based on the threat and vulnerability attributes received from the th... view more
The 2021 IT Blog Awards is now accepting submissions!
Created by caiharve on 11-16-2021 02:52 PM
0
0
0
0
The 2021 IT Blog Awards, hosted by Cisco, is now open for submissions. Submit your blog, vlog or podcast today. For more information, including category details, the process, past winners and FAQs, check out: https://www.cisco.com/c/en/us/t... view more
Secure Endpoint/Amp for Endpoints-Decommissioning Legacy Clo...
Created by Brett Murrell on 11-02-2021 03:01 AM
0
5
0
5
Problem Description  Cisco Secure Endpoint (formerly AMP for Endpoints) will decommission legacy cloud servers, which results in Legacy Windows Connector Versions 3.x/4.x and Mac Connector Version 1.0.x ceasing to ... view more
Ask a Question
Create
+ Discussion
+ Blog
+ Document
+ Video
+ Project Story
Find more resources
Discussions
Blogs
Documents
Events
Videos
Project Gallery
New Community Member Guide
Related support document topics
Recognize Your Peers
Spotlight Award Nomination
Polls
Which of these topics should we host an event in the Community?

Top Choice: ISE- Guest and Posture Troubleshooting (46%)

Vote
Hide Results
Content for Community-Ad